03-15-2011 12:25 PM - edited 03-11-2019 01:07 PM
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.y.22, src_addr=192.168.x.51, prot=TCP
Anybody see these in a Windows environment? The traffic is from a workstation to a file server.
MTU is set to 1500 at site x
MTU is set to 1500 at site y
This traffic is just hitting the VPN tunnel on the ASA at site y.
It is destined to go to site X; the VPN connects to another ASA there.
Any ideas on this?
Solved! Go to Solution.
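As an added example (not part of this thread), a small Python script that pulls these 602101 messages out of an ASA syslog export and tallies them per source/destination flow, so you can see which hosts keep sending oversized DF packets into the tunnel. The log lines in it are constructed samples modelled on the one above, and the suggest_tcp_mss helper is my own arithmetic for sizing the TCP MSS to the tunnel's effective MTU.

```python
import re
from collections import defaultdict

# Constructed sample syslog export; addresses are made up. The 1386 effective MTU
# is what the ASA reports once IPsec encapsulation overhead is taken off 1500.
SAMPLE_LOGS = """\
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.20.22, src_addr=192.168.10.51, prot=TCP
%ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1386, dest_addr=192.168.20.22, src_addr=192.168.10.77, prot=TCP
%ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1386, dest_addr=192.168.20.22, src_addr=192.168.10.51, prot=TCP
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.10.51/49152 (192.168.10.51/49152) to inside:192.168.20.22/445 (192.168.20.22/445)
"""

# Field layout of the 602101 message as it appears in the thread
PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<prot>\w+)"
)


def parse_pmtud_events(text):
    """Return one dict per 602101 line; any other message ID is skipped."""
    events = []
    for line in text.splitlines():
        m = PMTUD_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["mtu"] = int(d["mtu"])
        d["excess"] = d["size"] - d["mtu"]   # bytes over what the tunnel can carry
        events.append(d)
    return events


def summarize_by_flow(events):
    """Aggregate per (src, dst, prot): hit count and largest DF packet seen.
    Repeated hits from one source are the hosts whose PMTUD is being black-holed."""
    summary = defaultdict(lambda: {"count": 0, "max_size": 0, "mtu": None})
    for e in events:
        s = summary[(e["src"], e["dst"], e["prot"])]
        s["count"] += 1
        s["max_size"] = max(s["max_size"], e["size"])
        s["mtu"] = e["mtu"]
    return dict(summary)


def suggest_tcp_mss(effective_mtu, ip_header=20, tcp_header=20):
    """Largest TCP MSS whose segments still fit the effective MTU with DF set."""
    return effective_mtu - ip_header - tcp_header
```

Clamping MSS this way is the alternative to clearing the DF bit: on the ASA the knob for it is sysopt connection tcpmss (default 1380), which is why many tunnels never log 602101 for TCP at all.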
03-15-2011 01:46 PM
Hi Keith,
Can you please describe the topology a bit more? I am assuming that your workstation is connecting to the file share over a site-to-site tunnel, or the workstation is connecting using remote VPN to one firewall A and then the destination is across the site-to-site tunnel from that firewall A?
Also, you can try crypto ipsec df-bit clear-df outside on your firewalls; as the name says, this will clear the Don't Fragment bit for any packets getting into the tunnel.
Manish
03-16-2011 04:45 AM
Remote site                                                                                      Hub site
wrkst -----switch----asa5500 --------------l2l----------------------------------------------ASA(vpn hub)------switch----- fileserver
(in place for 10 months)                                                                          (new install)
The workstation at the hub site is experiencing general issues being able to communicate with a domain controller and have group policy objects applied, and seeing the domain controller as a time source through the W32time service on the workstation.
Currently testing a new reg key on the workstation to resolve the issue; it shows some promise.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery as a DWORD
PMTU discovery values 0 or 1 (Default = 1)
When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination IP addresses.
This seems to work. Waiting on user feedback to see if this addresses all of their concerns.
I was thinking about "crypto ipsec df-bit clear-df outside", just have not found time to try it on the remote ASA.
03-16-2011 05:16 AM
Hi,
Try this document:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
HTH
Pavel
03-16-2011 06:07 AM
Same document I found the reg key entries in. I like crypto ipsec df-bit clear-df outside as it globally affects traffic for more than one machine. Do not have to touch every machine, just the ASA.
03-16-2011 07:24 AM
So easily solved my problem:
crypto ipsec df-bit clear-df outside